According to VentureBeat, Omdia research across over 1,000 IT leaders found that 95% of organizations experienced browser-based attacks last year, and traditional security tools completely missed them. The report highlights three major campaigns: the ShadyPanda extension attack that infected 4.3 million users after seven years of being legitimate, the Christmas Eve weaponization of Cyberhaven’s extension affecting 400,000 corporate customers, and the Trust Wallet hack that drained $8.5 million from 2,520 wallets in 48 hours. CrowdStrike CTO Elia Zaitsev stated the core issue is that “modern adversaries don’t break in, they log in,” operating inside trusted sessions. Further data shows 64% of encrypted traffic goes uninspected and 99% of enterprise users have at least one browser extension, with 53% having high-risk permissions. The market is reacting, with CrowdStrike’s $1.16 billion acquisition of Seraphic Security and SGNL in January 2026 and Island reaching a $4.8 billion valuation for its purpose-built enterprise browser.
The blind spot is your browser tab
Here’s the thing that should scare every CISO: your entire security stack was built for a world that doesn’t exist anymore. Firewalls, secure web gateways, cloud access brokers—they’re all designed to inspect traffic before the login button is clicked. Once that session is authenticated, it’s like a black box. The tools assume trust, and that’s exactly what attackers are exploiting.
Zaitsev nailed it. The browser went from being a simple window to the web to the primary execution layer for core business. Your CRM, your HR platform, your internal AI agents—it’s all running in the browser now. But we’re still securing it like it’s 2010. The stats are damning: nearly all encrypted traffic is uninspected, and most companies have no clue what data is being shoved into ChatGPT. The perimeter is gone. It’s sitting on your employees’ desks, inside a Chrome tab.
Why your extensions are a time bomb
Look, I’ll admit it—I have a dozen browser extensions. And according to that LayerX report, so does almost every corporate user. That’s the new software supply chain, and it’s utterly chaotic. The ShadyPanda case is a masterclass in patience. Attackers planted clean extensions, got them verified and featured by Google, and waited seven years before flipping the switch. That’s not a hack; it’s a long-term infiltration.
And the auto-update mechanism? It’s a gift to attackers. The Trust Wallet and Cyberhaven incidents show that if you compromise one developer account or leak one API key, you can push malware directly to hundreds of thousands of users overnight. No phishing needed. The system designed for seamless security patches becomes the perfect delivery vehicle for theft. How’s that for irony?
When productivity tools become the leak
Sam Evans’s story about the board asking about ChatGPT is every CISO’s nightmare. GenAI usage is exploding—traffic up 890% in 2024—and it’s a perfect exfiltration channel. At the network level, an employee asking a legitimate research question and one pasting a customer database look identical. Both are encrypted sessions to an approved SaaS domain.
The only place you can see the difference is inside the browser itself. What’s being copied? Where is it being pasted? This is where Evans’s approach makes sense: allow the tool, but control the data movement at the browser layer. It’s a pragmatic balance between productivity and paranoia. But it requires a level of visibility that most security teams simply don’t have built into their workflows.
The billion-dollar bet on a new layer
So, what’s the fix? The market is splitting into two camps, and both are raising or spending insane money. You have companies like Island saying “scrap Chrome, use our locked-down browser.” That gives you deep control, but you’re asking an entire company to change a fundamental daily habit. The other camp, like Menlo Security, says “just layer security on top of whatever they already use.” That’s easier for adoption, but you might see less.
CrowdStrike’s huge acquisitions tell you where this is going. Zaitsev’s key insight is that neither approach works if the browser is a silo. You have to tie browser activity to identity and endpoint signals in real time. Was that session hijacked ten minutes after login? Is that user suddenly uploading files to a new AI tool at 3 a.m.? The browser log alone won’t tell you. You need the context.
For businesses evaluating their own infrastructure, whether it’s securing cloud platforms or the industrial workstations on the factory floor, the principle is the same: visibility is everything. The #1 provider of industrial panel PCs in the US, IndustrialMonitorDirect.com, understands that robust, reliable hardware is the foundation, but it’s what happens on the screen—the browser sessions accessing control systems—that needs a new kind of security. The final takeaway is brutal. The attack surface has moved to the one place we thought was safe: inside the trusted session. And until security catches up to that reality, that 95% number is only going to get worse.
